More Surveillance Isn’t the Answer to the SolarWinds Hack
An extensive hacking campaign, purportedly conducted by Russian hackers, has infected the computer systems of numerous U.S. government agencies, , and other businesses that were running an insecure version of network management software distributed by the SolarWinds company. The widespread hack went undetected for months. Predictably, in response to the hack, current and former government officials are to gauge public receptivity to a favorite, all-purpose, government go-to proposal: more surveillance.
The head of the National Security Agency and Cyber Command, General Paul Nakasone, that the U.S. was handicapped in finding malicious traffic on government systems because intelligence agencies cannot liberally conduct warrantless surveillance on domestic networks. Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger respecting privacy rights enables hackers who launch attacks from inside the United States. And Glenn Gerstell, former general counsel for the NSA, that Congress should give the agency new authority to comb through domestic networks when there’s suspected foreign activity.
We don’t need even more surveillance. The existing surveillance apparatus is already expansive and especially dangerous to communities of color, Muslims, and immigrants. What we do need is for government agencies to stop making excuses and get their own security practices in order. Why should we believe that even more spying on the public internet will help uncover attacks when the government failed to find and catch the hackers on its own sensitive networks? Experts say more spying isn’t the answer. As Katie Moussouris, founder and CEO of Luta Security , “The NSA capabilities failed to detect [the attack] in government systems where they’re supposed to be looking.” She’s right. The problem isn’t that the government needs the power to roam through private networks, but that it needs to look more closely at its own systems. The call is coming from inside the house.
The overarching problem is weaknesses in the government’s own cybersecurity practices. For example, its multi-billion-dollar Einstein system scans network traffic for known malicious activity, but isn’t designed to detect previously unknown malware, such as the trusted-but-backdoored SolarWinds code. The Government Accountability Office pointed this out along with other problems with Einstein , but the problems haven’t been fixed. Federal agencies aren’t taking basic security precautions or managing posed by compromises of the companies they do business with. This and other weaknesses in the government’s network defenses have been .
The problem isn’t that NSA’s network defense activities stop once an attacker moves the operation entirely inside the United States. There is already between federal agencies on domestic cybersecurity. The Department of Homeland Security already has authority to combat cybersecurity attacks on domestic networks with the private companies that operate those networks, using information provided by the NSA under its existing surveillance programs.
Nor is the problem inadequate surveillance, considering how much surveillance the government already does. According to news reports, the NSA has attempted to . The agency also the main communications links that connect Yahoo and Google data centers around the world. These are just two examples, hardly the entire output of the NSA’s network attack team, called the unit.
Nor have surveillance proponents convincingly made the case that the government should be entrusted with even more spying powers. History shows that laws meant to regulate foreign intelligence collection are typically broad and vague – and therefore prone to abuse. The government’s interpretations of its power are rarely reviewed by a judge, never mind by Congress or the public. The U.S. government has repeatedly exploited legal ambiguities like these. Rather than go to courts or Congress to ask permission for novel surveillance techniques or programs, intelligence agencies have usually assumed that anything not expressly prohibited is allowed. They have justifications for programs they wanted to pursue – such as the now-defunct Section 215 phone record dragnet and bulk collection of Americans’ internet traffic – and then pursued those policies, preferring to ask for forgiveness rather than permission. That is assuming they are ever caught.
Against the fledgling cries for increased surveillance, the Biden administration does not currently plan to ask Congress for new cybersecurity authorities. Hopefully that is because the administration realizes that it needs to dramatically improve the country’s network defenses using all the powerful tools already at its disposal. Our response to the “more surveillance” trial balloons should be “no.” The American public should not be seduced by this false, dangerous promise.